MALICIOUS
Risk Score: 202
Heuristics: 5
- ClamAV: Xls.Malware.Valyria-6934880-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-6934880-0
- \objupdate forces OLE activation (high, RTF_OBJUPDATE): RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
- OLE object data (medium, RTF_OBJDATA): RTF contains 10 \objdata section(s) — embedded OLE objects
- Embedded OLE object (medium, RTF_OBJEMB): RTF contains \objemb — embedded OLE object
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/office/word/2003/wordml (In RTF body)
Extracted artifacts: 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| objdata_00_off00002b58.bin | rtf-objdata-decoded | RTF \objdata at offset 0x2B58 | 24129 bytes | b9a2001d63952716f0bd7a459ed4962740ac4651fd363c4fe15c185ea386a879 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_01_off00014263.bin | rtf-objdata-decoded | RTF \objdata at offset 0x14263 | 24129 bytes | ca7d8dcb9bfcd5ad0cb68a1f1b084ab939c9b101d24f239d034fad0242dd5d41 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_02_off00025970.bin | rtf-objdata-decoded | RTF \objdata at offset 0x25970 | 24129 bytes | 48e419c71dbabd28f9aabbd069e3990f021768224d7a04bb699dfef03fb844a7 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_03_off0003707d.bin | rtf-objdata-decoded | RTF \objdata at offset 0x3707D | 24129 bytes | f0a5afe2abcdf81bfde8279cd9492d2b748206e8352dd50459dcfd6c0028c10d | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_04_off0004878a.bin | rtf-objdata-decoded | RTF \objdata at offset 0x4878A | 24129 bytes | 3bdd3482106dfc31b428550329187a27e7964e3723905501fe575c2977f8d34a | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_05_off00059e97.bin | rtf-objdata-decoded | RTF \objdata at offset 0x59E97 | 24129 bytes | a9658a72fd5033084f2c4b228c6e2e100e46a9f87ef2087b9a1f4248341740e6 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_06_off0006b5a4.bin | rtf-objdata-decoded | RTF \objdata at offset 0x6B5A4 | 24129 bytes | c1721a7c3ad779007d09b65dc59537313e3d0e41db2eff9aaef21d826515a658 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_07_off0007ccb1.bin | rtf-objdata-decoded | RTF \objdata at offset 0x7CCB1 | 24129 bytes | f11f030cb9525ec50c98b32a5dacc1665275f080eb7f26eda1de0a37a589701c | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_08_off0008e3be.bin | rtf-objdata-decoded | RTF \objdata at offset 0x8E3BE | 24129 bytes | a39c35f1ff18800f9f9c3779fbc99124c32669efc246ce778c62bff25bd23037 | Xls.Malware.Valyria-6934880-0 | unlikely |
| objdata_09_off0009facb.bin | rtf-objdata-decoded | RTF \objdata at offset 0x9FACB | 24641 bytes | cb458f21f1d35f6eb98cb7f37ef6b2d12a85df6ec9b22e1980b906810dbc294d | Xls.Malware.Valyria-6934880-0 | unlikely |